Abstract
The growing diversity of connected devices leads to complex network deployments, often made up of endpoints that implement incompatible network application protocols. Communication between heterogeneous network protocols was traditionally enabled by hardware translators or gateways. However, such solutions are increasingly unfit to address the security, scalability, and latency requirements of modern software-driven deployments. To address these shortcomings we propose Chuchotage, a protocol translation architecture for secure and scalable machine-to-machine communication. Chuchotage enables in-line TLS interception and confidential protocol translation for software-defined networks. Translation is done in ephemeral, flow-specific Trusted Execution Environments and scales with the number of network flows. Our evaluation of Chuchotage implementing an HTTP to CoAP translation indicates a minimal transmission and translation overhead, allowing its integration with legacy or outdated deployments.
Keywords
- Protocol conversion
- IoT
- Application layer protocols
- Software defined networking
- TLS
- Cross-layer optimization
Notes
1. Communication servers including a virtual gateway to perform protocol translation.
2. The term chuchotage is a form of interpreting where the linguist is near a small target audience and whispers a simultaneous interpretation of what is being said.
References
1. Semantic Integration & Interoperability Using RDF and OWL (2005). https://www.w3.org/2001/sw/BestPractices/OEP/SemInt/. Accessed 15 Oct 2020
2. AMD SEV-SNP: Strengthening VM isolation with integrity protection and more. White paper, Advanced Micro Devices, January 2020
3. Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, New York, NY, USA, vol. 13, p. 7. ACM (2013)
4. Baek, J., Kim, J., Susilo, W.: Inspecting TLS anytime anywhere: a new approach to TLS interception. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 116–126 (2020)
5. de Carné de Carnavalet, X., van Oorschot, P.C.: A survey and analysis of TLS interception mechanisms and motivations. arXiv e-prints, arXiv:2010 (2020)
6. Coker, G., et al.: Principles of remote attestation. Int. J. Inf. Secur. 10(2), 63–81 (2011). https://doi.org/10.1007/s10207-011-0124-7
7. Derhamy, H., Eliasson, J., Delsing, J.: IoT interoperability-on-demand and low latency transparent multiprotocol translator. IEEE Internet Things J. 4(5), 1754–1763 (2017)
8. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), August 2008. https://doi.org/10.17487/RFC5246. https://www.rfc-editor.org/rfc/rfc5246.txt. Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919
9. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
10. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. https://doi.org/10.17487/RFC8446
11. Garbelini, M.E., Wang, C., Chattopadhyay, S., Sumei, S., Kurniawan, E.: SweynTooth: unleashing mayhem over Bluetooth Low Energy. In: 2020 USENIX Annual Technical Conference (USENIX ATC 2020), pp. 911–925. USENIX Association, July 2020. https://www.usenix.org/conference/atc20/presentation/garbelini
12. Gregg, B.: Systems Performance, 2nd edn. Pearson, London (2020)
13. Hosseinzadeh, S., Liljestrand, H., Leppänen, V., Paverd, A.: Mitigating branch-shadowing attacks on Intel SGX using control flow randomization. In: Proceedings of the 3rd Workshop on System Software for Trusted Execution, pp. 42–47 (2018)
14. Hunt, G.D.H., et al.: Confidential computing for OpenPOWER. In: EuroSys 2021, New York, NY, USA, pp. 294–310. ACM (2021). https://doi.org/10.1145/3447786.3456243
15. Kate, A., Goldberg, I.: Distributed private-key generators for identity-based cryptography. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 436–453. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_27
16. Kreutz, D., Ramos, F.M., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2014)
17. Lam, S.S.: Protocol conversion. IEEE Trans. Softw. Eng. 14(3), 353–362 (1988)
18. Lee, D., Kohlbrenner, D., Shinde, S., Asanović, K., Song, D.: Keystone: an open framework for architecting trusted execution environments. In: Proceedings of the Fifteenth European Conference on Computer Systems, EuroSys 2020, New York, NY, USA. ACM (2020). https://doi.org/10.1145/3342195.3387532
19. Lee, H., et al.: maTLS: How to make TLS middlebox-aware? In: NDSS (2019)
20. Li, J., Chen, R., Su, J., Huang, X., Wang, X.: ME-TLS: middlebox-enhanced TLS for internet-of-things devices. IEEE Internet Things J. 7(2), 1216–1229 (2020). https://doi.org/10.1109/JIOT.2019.2953715
21. McKeen, F., et al.: Innovative instructions and software model for isolated execution. HASP@ISCA 10(1) (2013)
22. McKeown, N., et al.: OpenFlow: enabling innovation in campus networks. SIGCOMM Comput. Commun. Rev. 38(2), 69–74 (2008)
23. Medina, J., Paladi, N., Arlos, P.: Protecting OpenFlow using Intel SGX. In: 2019 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 1–6. IEEE (2019)
24. Nilsson, A., Bideh, P.N., Brorsson, J.: A survey of published attacks on Intel SGX. arXiv preprint arXiv:2006.13598 (2020)
25. Noura, M., Atiquzzaman, M., Gaedke, M.: Interoperability in internet of things: taxonomies and open challenges. Mob. Netw. Appl. 24(3), 796–809 (2019)
26. Safaric, S., Malaric, K.: ZigBee wireless standard. In: Proceedings of ELMAR 2006, pp. 259–262 (2006). https://doi.org/10.1109/ELMAR.2006.329562
27. Shen, Y., et al.: Occlum: secure and efficient multitasking inside a single enclave of Intel SGX. In: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2020, New York, NY, USA, pp. 955–970. ACM (2020). https://doi.org/10.1145/3373376.3378469
28. Svenningsson, J., Paladi, N., Vahidi, A.: Faster enclave transitions for IO-intensive network applications. In: Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable Network Infrastructure, SPIN 2021, New York, NY, USA, pp. 1–8. ACM (2021). https://doi.org/10.1145/3472873.3472879
29. Svenningsson, J., Paladi, N., Vahidi, A.: SGX-bundler: speeding up enclave transitions for IO-intensive applications. In: The 22nd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing. IEEE (2022)
30. Tolk, A.: Composable mission spaces and M&S repositories: applicability of open standards. In: Spring Simulation Interoperability Workshop, Arlington, VA (2004)
31. Tu, W., Wei, Y.H., Antichi, G., Pfaff, B.: Revisiting the Open vSwitch dataplane ten years later. In: Proceedings of the 2021 ACM SIGCOMM 2021 Conference, SIGCOMM 2021, New York, NY, USA, pp. 245–257. ACM (2021). https://doi.org/10.1145/3452296.3472914
32. Uddin, M., Mukherjee, S., Chang, H., Lakshman, T.: SDN-based multi-protocol edge switching for IoT service automation. IEEE J. Sel. Areas Commun. 36(12), 2775–2786 (2018)
33. Yao, J., Zimmer, V.: Virtual Firmware, pp. 459–491. Apress, Berkeley (2020). https://doi.org/10.1007/978-1-4842-6106-4_13
34. Zanella, A., Bui, N., Castellani, A., Vangelista, L., Zorzi, M.: Internet of things for smart cities. IEEE Internet Things J. 1(1), 22–32 (2014)
Acknowledgment
This work was financially supported in part by the Swedish Foundation for Strategic Research, with the grant RIT17-0035, and by the Wallenberg AI, Autonomous Systems and Software Program (WASP).
A Appendix
A.1 Common IoT Communication Protocols
In the TCP/IP network model, the physical or data link layer is responsible for physical transmission; application characteristics such as latency and availability requirements directly shape the traffic seen on the link layer. The network layer is responsible for routing and forwarding packets; since IoT devices are often resource-constrained, the state needed for routing should be kept to a minimum. Finally, transport layer protocols (such as TCP and UDP) manage end-to-end communication between network endpoints.
Physical network gateways are commonly used for interoperability at the physical, network, or transport layer [25]. Gateways have limited scalability [25]: as the number of IoT devices increases, special connectors are required for their interaction, adding both cost and complexity to the network.
Communication between applications on network endpoints is implemented in the application layer. Middleware can translate in the application layer; however, connecting middleware components risks further reducing interoperability by locking applications to a specific technology. Interception proxies are an alternative for application layer translation; however, proxies add delay, since all traffic transits through them even when no translation is needed [7].
Proxies and middleware currently available for application layer protocol translation are therefore increasingly unsuitable for secure, distributed, and transparent application layer protocol translation.
Several application layer protocols, namely HTTP, CoAP, MQTT, and AMQP, have been widely reviewed in academic publications and adopted in large-scale deployments. We compare these protocols in Table 1.
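The abstract reports an HTTP to CoAP translation as the evaluated case. The following is an added example, not the Chuchotage implementation and not code from the paper, of that direction of translation in the RFC 7252 wire format: an HTTP/1.1 request line, headers and body are mapped onto a confirmable CoAP request with Uri-Path, Content-Format and Uri-Query options, and a small decoder parses the result back. The method and Content-Format mappings, the option set, and the sample requests are constructed assumptions.

```python
"""Translating an HTTP request into a CoAP request (RFC 7252 wire format).
Constructed example of the HTTP-to-CoAP direction the paper evaluates; it is
not the Chuchotage implementation, and the mappings below are assumptions."""
import struct
from urllib.parse import urlsplit

COAP_METHOD = {"GET": 1, "POST": 2, "PUT": 3, "DELETE": 4}   # CoAP request codes 0.01-0.04
CONTENT_FORMAT = {"text/plain": 0, "application/json": 50}   # CoAP Content-Format registry ids
OPT_URI_PATH, OPT_CONTENT_FORMAT, OPT_URI_QUERY = 11, 12, 15
CON = 0                                                      # confirmable message type


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _nibble(v: int):
    """Option delta/length nibble plus its extension bytes (RFC 7252 section 3.1)."""
    if v < 13:
        return v, b""
    if v < 269:
        return 13, bytes([v - 13])
    return 14, struct.pack("!H", v - 269)


def _option(delta: int, value: bytes) -> bytes:
    d, d_ext = _nibble(delta)
    ln, l_ext = _nibble(len(value))
    return bytes([(d << 4) | ln]) + d_ext + l_ext + value


def http_to_coap(raw: bytes, message_id: int) -> bytes:
    """Build a CON CoAP request carrying the HTTP method, path, query and body."""
    method, target, headers, body = parse_http_request(raw)
    url = urlsplit(target)
    options = [(OPT_URI_PATH, seg.encode()) for seg in url.path.split("/") if seg]
    ctype = headers.get("content-type")
    if body and ctype is not None:
        cf = CONTENT_FORMAT[ctype.split(";")[0].strip()]
        options.append((OPT_CONTENT_FORMAT, b"" if cf == 0 else bytes([cf])))  # uint: 0 is empty
    options += [(OPT_URI_QUERY, q.encode()) for q in url.query.split("&") if q]
    options.sort(key=lambda o: o[0])  # deltas need ascending numbers; stable sort keeps path order
    msg = bytearray([(1 << 6) | (CON << 4) | 0, COAP_METHOD[method]])  # Ver=1, T=CON, TKL=0, code
    msg += struct.pack("!H", message_id)
    prev = 0
    for number, value in options:
        msg += _option(number - prev, value)
        prev = number
    if body:
        msg += b"\xff" + body            # payload marker, then the payload
    return bytes(msg)


def decode_coap(msg: bytes):
    """Inverse parse: returns (code, [(option number, value)], payload)."""
    tkl, code = msg[0] & 0x0F, msg[1]
    i, number, options = 4 + tkl, 0, []
    while i < len(msg) and msg[i] != 0xFF:
        d, ln = msg[i] >> 4, msg[i] & 0x0F
        i += 1
        if d == 13:
            d, i = msg[i] + 13, i + 1
        elif d == 14:
            d, i = struct.unpack("!H", msg[i:i + 2])[0] + 269, i + 2
        if ln == 13:
            ln, i = msg[i] + 13, i + 1
        elif ln == 14:
            ln, i = struct.unpack("!H", msg[i:i + 2])[0] + 269, i + 2
        number += d
        options.append((number, msg[i:i + ln]))
        i += ln
    return code, options, (msg[i + 1:] if i < len(msg) else b"")


# Constructed sample requests (not captured traffic).
GET_REQUEST = b"GET /sensors/temp?unit=c HTTP/1.1\r\nHost: node\r\n\r\n"
POST_REQUEST = (b"POST /actuators/led HTTP/1.1\r\nContent-Type: text/plain\r\n"
                b"Content-Length: 2\r\n\r\non")

if __name__ == "__main__":
    print(http_to_coap(GET_REQUEST, 0x1234).hex())
    print(decode_coap(http_to_coap(POST_REQUEST, 1)))
```

A translator placed in a flow-specific enclave, as the paper proposes, would run this kind of mapping on the decrypted HTTP bytes and hand the CoAP message to the DTLS side; note that the HTTP header set is deliberately not carried across, since only the fields with a CoAP counterpart (path, query, content type, body) have a meaning on the constrained side.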
A.2 Open vSwitch Overview
Open vSwitch (OvS) is an open source programmable switch [31] that implements packet forwarding on the datapath. It is a flow-based switch: clients install flows that determine forwarding decisions. Flows are installed in a multi-level cache structure that lets the datapath execute actions (e.g. allow, drop) on received packets. For each ingress packet, the datapath consults its cache and forwards the packet to its destination if a matching entry exists; on a cache miss, the datapath issues an upcall and hands the packet to ovs-vswitchd. A datapath can be deployed as a kernel module or in user space with additional firmware support.
Packet classification in OvS is computationally expensive, mostly because of the many types of matching fields. Matching is implemented with hash tables of flow rules, keyed by the hashed matching fields. OvS uses a modified Tuple Space Search (TSS) algorithm for packet classification: the algorithm searches the hash tables in order of each table's maximum entry priority and terminates after finding the highest-priority matching flow rule.
Early OvS releases implemented OpenFlow processing exclusively as a kernel module. However, the difficulty of developing and updating kernel modules motivated moving packet classification to user space, and a multi-level cache structure in the kernel compensates for the resulting performance impact. The cache structure consists of two levels with increasing lookup costs: a microflow cache (or Exact Match Cache) and a larger megaflow cache. The megaflow cache matches multiple flows using wildcards [23].
Open vSwitch Forwarding. Figure 6 illustrates the OvS internals. An incoming packet reaches the datapath from either a physical or virtual NIC (1). In the datapath, the switch first searches for an exact match (2). If there is a matching entry in the microflow cache, the packet is sent to the specific table in the megaflow cache to retrieve the required actions. Otherwise, the forwarding process performs a second search in the next cache level, the megaflow cache (3). If no match is found there, the datapath uses an upcall (4) to inform ovs-vswitchd that it cannot handle the packet. ovs-vswitchd runs the classification process (5) to obtain a matching rule from its flow tables. Next, ovs-vswitchd returns to the datapath, inserts the entry in the cache (6), and returns the packet to the kernel (7). Finally, the datapath forwards the packet to the intended destination (8). If no matching information is found in the flow tables, ovs-vswitchd sends a packet-in message to the network controller to obtain a matching rule for the unknown packet.
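The lookup path of A.2, as an added Python simulation that is not Open vSwitch code and not from the paper: an exact-match microflow cache in front of a wildcard megaflow cache, an upcall into a Tuple Space Search classifier that visits one hash table per mask in decreasing maximum-priority order and stops early, and a packet-in when no rule matches. The installed megaflow uses the union of the fields the classifier consulted, so a cached entry can never shadow a higher-priority rule. Field names, rules, packets and actions are constructed assumptions.

```python
"""Simulation of the Open vSwitch lookup path from Appendix A.2: an exact-match
microflow cache (EMC), a wildcard megaflow cache, and an upcall into a Tuple
Space Search classifier. Constructed example; field names and rules are
assumptions, and this is not OvS code."""

FIELDS = ("in_port", "ip_src", "ip_dst", "proto", "tp_src", "tp_dst")


class Rule:
    """An OpenFlow-style rule: matched fields (others are wildcards) plus priority."""

    def __init__(self, match, priority, action):
        self.match, self.priority, self.action = match, priority, action
        self.mask = tuple(f for f in FIELDS if f in match)   # the rule's tuple space
        self.key = tuple(match[f] for f in self.mask)


class TSSClassifier:
    """ovs-vswitchd slow path: one hash table per distinct mask."""

    def __init__(self):
        self.tables = {}      # mask -> {key: Rule}
        self.max_prio = {}    # mask -> highest priority stored in that table

    def add(self, rule):
        self.tables.setdefault(rule.mask, {})[rule.key] = rule
        self.max_prio[rule.mask] = max(self.max_prio.get(rule.mask, 0), rule.priority)

    def lookup(self, pkt):
        """Return (best rule or None, union of fields consulted).

        Tables are visited in decreasing max-priority order and the search stops
        as soon as no remaining table can beat the best match found so far. The
        union of consulted fields becomes the megaflow mask installed below."""
        best, used = None, set()
        for mask in sorted(self.tables, key=self.max_prio.get, reverse=True):
            if best is not None and best.priority >= self.max_prio[mask]:
                break
            used.update(mask)
            rule = self.tables[mask].get(tuple(pkt[f] for f in mask))
            if rule is not None and (best is None or rule.priority > best.priority):
                best = rule
        return best, tuple(f for f in FIELDS if f in used)


class Datapath:
    """Fast path with the two cache levels; the numbers refer to the steps in A.2."""

    def __init__(self, classifier):
        self.classifier = classifier
        self.emc = {}          # exact packet key -> action            (microflow cache)
        self.megaflows = []    # (mask, masked key, action) entries    (megaflow cache)
        self.stats = {"emc": 0, "megaflow": 0, "upcall": 0, "packet_in": 0}

    def forward(self, pkt):
        exact = tuple(pkt[f] for f in FIELDS)
        if exact in self.emc:                                   # (2) exact match hit
            self.stats["emc"] += 1
            return self.emc[exact]
        for mask, key, action in self.megaflows:                # (3) wildcard search
            if tuple(pkt[f] for f in mask) == key:
                self.stats["megaflow"] += 1
                self.emc[exact] = action
                return action
        self.stats["upcall"] += 1                               # (4) upcall
        rule, mask = self.classifier.lookup(pkt)                # (5) classification
        if rule is None:
            self.stats["packet_in"] += 1   # no rule at all: packet-in to the controller
            return "packet-in"
        self.megaflows.append((mask, tuple(pkt[f] for f in mask), rule.action))  # (6)
        self.emc[exact] = rule.action
        return rule.action                                      # (7) and (8)


def demo():
    """Five packets through the pipeline; returns (actions, cache statistics)."""
    cls = TSSClassifier()
    # Assumed rules: steer CoAP (UDP/5683) to the translator, send other traffic
    # for that host to port 2, and keep a low-priority catch-all on port 1.
    cls.add(Rule({"ip_dst": "10.0.0.5", "proto": "udp", "tp_dst": 5683}, 100, "to_translator"))
    cls.add(Rule({"ip_dst": "10.0.0.5"}, 10, "output:2"))
    cls.add(Rule({"in_port": 1}, 1, "normal"))
    dp = Datapath(cls)
    coap = {"in_port": 1, "ip_src": "10.0.0.9", "ip_dst": "10.0.0.5",
            "proto": "udp", "tp_src": 40000, "tp_dst": 5683}
    web = dict(coap, proto="tcp", tp_src=50000, tp_dst=80)
    unknown = dict(coap, in_port=3, ip_dst="10.0.0.7", proto="tcp", tp_dst=80)
    actions = [dp.forward(p) for p in
               (coap, coap, dict(coap, tp_src=40001), web, unknown)]
    return actions, dict(dp.stats)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three outcomes the text distinguishes: the second CoAP packet is an EMC hit, the third (same flow, different source port) misses the EMC but hits the megaflow installed by the first upcall, the web packet triggers an upcall resolved by the lower-priority rule, and the unknown packet ends in a packet-in.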
Rights and permissions
© 2022 Springer Nature Switzerland AG
Cite this paper
Nikbakht Bideh, P., Paladi, N. (2022). Chuchotage: In-line Software Network Protocol Translation for (D)TLS. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_32
DOI: https://doi.org/10.1007/978-3-031-15777-6_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15776-9
Online ISBN: 978-3-031-15777-6